Comments (5)
It works because patroni sets the environment variable PGPASSFILE to point to the new pgpass file. It would be a poor decision to overwrite the user's .pgpass with our credentials.
from patroni.
OK, that works for the name, but the problem is that pgpass gets dropped in the CWD from which patroni was called, regardless of where that is. This causes some issues:
- If patroni is called from inside the data directory, that will cause pg_basebackup to fail, because "directory is not empty".
- If patroni is called from an insecure directory (like /tmp/), then an attacker can subvert the file permissions and capture the passwords.
... so I think it would be a better idea to drop the file in a specific directory, or at least provide that as a config option. No?
from patroni.
Yeah, those seem to be good corner cases we haven't covered yet. Would it be better to just write the file to the home directory of the user that launched patroni? After all, it has the same privacy expectations as .pgpass.
from patroni.
Yeah, that would work, provided that we can know the homedir. We should have some kind of fallback if it's undefined. Also, a config variable for password_directory, I think.
from patroni.
pgpass is now configurable under postgresql
from patroni.
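The concerns raised in this thread (credentials file landing in the CWD, writable directories like /tmp, home-directory fallback, PGPASSFILE) can be sketched as follows. This is an added example, not Patroni's code: the function names are hypothetical and a POSIX system is assumed.

```python
import os
import stat
import tempfile


def resolve_pgpass_dir(configured=None):
    """Prefer an explicitly configured directory, then fall back to the home directory."""
    for candidate in (configured, os.path.expanduser("~")):
        # expanduser returns "~" unchanged when no home directory can be determined
        if candidate and candidate != "~" and os.path.isdir(candidate):
            return os.path.realpath(candidate)
    raise RuntimeError("no usable directory for the pgpass file")


def check_dir_is_private(directory):
    """Reject directories such as /tmp that other users can write to."""
    st = os.stat(directory)
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{directory} is not owned by the current user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{directory} is group- or world-writable")


def _escape(field):
    # pgpass fields escape backslash and colon with a backslash
    return str(field).replace("\\", "\\\\").replace(":", "\\:")


def write_pgpass(directory, entries, name="pgpass"):
    """Write (host, port, database, user, password) rows to directory/name with mode 0600."""
    check_dir_is_private(directory)
    target = os.path.join(directory, name)
    # mkstemp creates the file with O_EXCL and mode 0600, so it is never readable by others
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".pgpass.")
    try:
        with os.fdopen(fd, "w") as f:
            for row in entries:
                f.write(":".join(_escape(x) for x in row) + "\n")
        os.replace(tmp, target)  # atomic; replaces a symlink at target instead of following it
    except BaseException:
        os.unlink(tmp)
        raise
    return target


def child_env(pgpass_path):
    """Environment for pg_basebackup and similar children: point PGPASSFILE at our file."""
    return dict(os.environ, PGPASSFILE=pgpass_path)
```
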